1 / 32

Current Issues in Maintaining a Secure System: PKI Options, Cryptography and Current Threats

Current Issues in Maintaining a Secure System: PKI Options, Cryptography and Current Threats. David Canavan, Canavan Associates David A. Crist, Permovio, Inc. (Moderator). Overview. Learning Objectives PKI, Cryptography, and Hashing Virus Protection MalWare Firewalls Disposal

tamera
Télécharger la présentation

Current Issues in Maintaining a Secure System: PKI Options, Cryptography and Current Threats

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Current Issues in Maintaining a Secure System:PKI Options, Cryptography and Current Threats David Canavan, Canavan Associates David A. Crist, Permovio, Inc. (Moderator)

  2. Overview • Learning Objectives • PKI, Cryptography, and Hashing • Virus Protection • MalWare • Firewalls • Disposal • System Monitoring

  3. Learning Objectives • To provide participants with a cursory understanding of PKI and Public/Private Key technology. • To introduce and provide examples of virus protection, firewalls and spyware to help protect your computer from hackers. • To explain other terms frequently used with system security and examples of how they fit into the big picture.

  4. PKI- What Is It? Why Do I Have to Work With It? • Public Key Infrastructure • In cryptography, a public key infrastructure (PKI) is an arrangement that provides for trusted third party vetting of, and vouching for, user identities. It also allows binding of public keys to users. This is usually carried out by software at a central location together with other coordinated software at distributed locations. The public keys are typically in certificates.

  5. Based on the Mathematical Field of Cryptography • Cryptography (or cryptology; derived from Greek κρυπτός kryptós "hidden," and γράφειν gráfein "to write") is a discipline of mathematics concerned with information security and related issues, particularly encryption, authentication, and access control. Its purpose is to hide the meaning of a message rather than its existence. In modern times, it has also branched out into computer science. Cryptography is central to the techniques used in computer and network security for such things as access control and information confidentiality. Cryptography is used in many applications that touch everyday life; the security of ATM cards, computer passwords, and electronic commerce all depend on cryptography

  6. What?? (Caesar Cipher)

  7. Huh? http://www.sacred-texts.com/eso/sta/img/17002.jpg

  8. Slowly We Got Better http://en.wikipedia.org/wiki/Lorenz_Cipher

  9. Then There Is the Hash http://en.wikipedia.org/wiki/Hash_function

  10. How Do We Know It Works? • Basically because very smart people say it does. In general Hash Functions should have the following qualities: • The block cipher is secure. • The resulting hash size is big enough. 64-bit is too small, 128-bit might be enough. • The last block is properly length padded prior to the hashing. • Length padding is normally implemented and handled internally in specialised hash functions like SHA-1 etc.

  11. What If I Don’t Believe You? • That’s okay. There are plenty of resources to help you understand. Cryptography has been around for about 2500 years and is well understood by those who choose to study it.

  12. Like This Guy Ron Rivest (one of the inventors of the RSA algorithm)

  13. Who Create Things That Look Like This MD5 Hash Algorithm (also invented by Ron Rivest, wicked smart)

  14. Which Produce Things Like This The hash sums seen here (in hexadecimal format) are actually the first four bytes of the SHA-1 hash sums of those text examples. http://en.wikipedia.org/wiki/Hash_function

  15. What Does That Mean? • One analogy is that of a locked store front door with a mail slot. The mail slot is exposed and accessible to the public; its location (the street address) is in essence the public key. Anyone knowing the street address can go to the door and drop a written message through the slot. However, only the person who posseses the matching private key, the store owner in this case, can open the door and read the message.

  16. What Does That Get Me? • Well it all depends on how it is implemented. • PKI can provide many benefits to your organization if it is implemented with an eye towards those benefits. • It also makes you compliant with the HUD Data and Technical Standards. • Anyone here implemented a PKI? How did you do it?

  17. What PKI Should I Use? • Short answer is whatever one works for you. There are many different products out there and any one of them might be the right one. Like any other process you should evaluate what your community needs and what is the most cost effective way to meet that need.

  18. Red Hat Certificate Management System Computer Associates eTrust PKI Entrust Microsoft US Government External Certificate Authority (ECA) Nexus OpenCA (an open source publicly available PKI scheme including server software) RSA Security phpki GenCerti ejbca newpki Papyrus CA Software pyCA IDX-PKI EuropePKI (not available) TinyCA ElyCA SimpleCA SeguriData Safelayer Secure Communications Australian Government AGIMO Gatekeeper system Different Implementations (Of course neither HUD nor I am endorsing or recmmending any of these products) Their inclusion is purely illustrative.

  19. The technology of the PKI is not difficult. • Ask Ron.

  20. It’s the people that make it challenging

  21. So What Do I Do? • Identify resources that will help you make the right decision. • Those can be on the Web. • Almost every slide so far in this show is taken from Wikipedia. On purpose. • Resources can be technical assistance from National TA team. • Which conveniently, I am on. • Can be peer communities that have done this already. • Could be your HMIS solution provider.

  22. Virus Protection • Significant growth in number and variety of virus technology • Proliferation of automated attacks • Allows for constant attempts across a broad set of vulnerabilities • Truly undermines the argument that any installation is too small to be noticed • Microsoft has acknowledged “recovery from malware becoming impossible”

  23. Malware Change in Language • MALicious softWARE • Software designed to destroy, aggravate, wreak havoc, hide incriminating information, disrupt, or damage computer systems • Includes all different types of viruses, spyware, and adware

  24. Malware Protection • All major software packages offer spyware, popup, and adware detection tools • Microsoft has a beta version spyware detection and removal software available • Reinforces the importance of automated protection and monitoring

  25. Malware Prevention • Many companies are blocking employees from non-business related web browsing with technology rather than policy. • General Electric bars instant messaging, file sharing programs, and access to personal email. • JP Morgan Chase blocks any traffic it can’t trace and analyze including phone, messaging, and email programs

  26. FirewallsNot As Solid As They Used to Be • Increased permeability of firewalls means they are not as effective as they used to be in blocking attacks. • Some products being marketed as “firewall friendly” which actually means they circumvent the firewall • More and more web protocols designed to bypass typical firewall configurations (IPP and WebDAV) • ActiveX, Java, JavaScript make detection more difficult

  27. Disposal • Johnson County, Kansas • Stopped auction of old equipment in 2004 after 12 machines discovered to still have social security numbers and other private information still on them. • Has yet to implement a disposal policy • Some departments have drilled hard drives • Some have reformatted • Do you have a disposal policy? Does it meet the standard?

  28. System Monitoring • Greatest area of growth in the coming years. • Audits becoming more common • Data Trust and Accountability Act coming up • Specifically mandates that organizations make known and unauthorized disclosures of clients/customers information • Allows FTC to audit companies for 5 years after disclosure

  29. Sources • Wikipedia! • “Bullers, Finn. “Purging Computers a Priority” The Kansas City Star 11 Dec 2005 : B1 • Nareine, Ryan. “Microsoft Says Recovery from Malware Becoming Impossible” eWeek.com  4 Apr 2006 <http://www.eweek.com/article2/0,1895,1945782,00.asp • Young, Shawn. “Security Fears Prod Many Firms to Limit Staff Use of Web Services” The Wall Street Journal Online 31 Mar 2006 <http://www.careerjournal.com/hrcenter/articles/20060331-young.html> • Earthlink Spy Audit n.d. n.p. 2004 <http://www.earthlink.net/spyaudit/press/>

  30. Contact Info David Canavan Managing Director, Canavan Associates www.davidcanavan.com (413) 584-0894

More Related